Slashdot Mirror
Microsoft Installs New Software Without Permission
Futurepower(R) writes "Even though I have Automatic Updates turned off, on August 28, 2007, between 3:49 and 3:51 AM PDT, Microsoft installed new files on my Windows XP computer." Nine files are updated on Vista and on XP SP1, a different set of on each, relating to Windows Update itself. Microsoft-watch.com's Joe Wilcox and ZDnet's Adrian Kingsley-Hughes confirm the stealth update.
Block M$ from having an interwebs connection and update from windiz, works even if they decided to ignore your settings.
They fitted George Orwell's coffin with rollers so he could turn over more easily years ago.
You'll take your nanites, and you'll like them!
...I cant see how anyone on /. would ever object.
Anyone want popcorn?
That's the proprietary software world for you.
The solution is simple, install Ubuntu.
Under cygwin, you can type:
/cygdrive/c/windows/system32/wuapi.dll | grep 7\.0\.6
strings
If you get back something like:
7.0.6000.381
7.0.6000.381 (winmain(wmbla).070730-1740)
7.0.6000.381
then Microsoft has secretly updated you.
My blog
I'm pretty sure the EULA states somewhere MS can do this. You agree to it when clicking that little checkbox for accepting the license when installing the damn OS.
It would be nice to know the IP address that is being contacted here. With that, automatic update could be turned off at the router/firewall. If you trust Microsoft you always get punished.
I'm an American. I love this country and the freedoms that we used to have.
Is it me or does this just seem down right nasty?
If a person who uses vista or xp did not want any updates to their OS, they turn off Automatic updates. It's their choice. Where does Microsoft get off thinking that something like this is acceptable?
If I ran either of those operating systems, I would probably file a lawsuit, as to me that is a huge invasion of privacy. If they can force you to update those few files, they can absolutely view any and every file on your computer.
Although, this should come as no surprise...
You chose to use proprietary software from a company that uses its control to illegally maintain a monopoly. You really think they are going to be bothered to care wether you give permission to update that software any damn time they want, for whatever reason they want? (And/or, a company that produces shoddy unstable 'oh look its shiny' software for nincompoops and that they are competent enough to actually be able to keep track properly)
There is no halfway. Eiher you give control of your system to Microsoft, or you dont (by not running *ANY* Microsoft software). If you have a problem with the agreement that you choose to let MS impose on you, take it up with MS (or their local sychophants, or your attorney). Why annoy people who dont care?
I'd give it six months and this will be used to enforce install of WGA on every windows machine.
Why would you want to run an unpatched XP box?
Why should you have to?
It could be worse, it could be Monday.
I wonder if this still happens even if you have set the Automatic Updates service to 'Disabled' in services, rather than using the control panel applet which tells it not to update but still leaves the service running.
Probably a good idea to disable the BITS service too.
Can they pull? Interesting question to ask I think.
license? Do you own your copy of windows? No. You are only licensed to use it under their terms. Do you own M$ Office? No. You are only licensed to use it. If Microsoft wants to change their files on your computer they can. Also read carefully because some licenses of Microsoft actually claim that were you to so much as add any hardware you no longer are licensed and your windows copy will be in validated. I use linux, I don't have these problems. It has never been that Linux was a superior operating system. I mean for the longest time I had to deal with so much shit to to listen to an mp3. BUT the one thing about Linux is Your copy is Your copy to share and to see everythijg it does. Using linux was the first time I could take my Foil Hat off in years.
Does wmbla stand for Windows Man Boy Love Association???
Boy I need to spend time away from the interweb
Does this mean that somewhere hidden deep in the API is the ability to automatically download and install files without user consent? Does this mean that somebody else could use that exact API to do something a bit less friendly? Does anybody else feel a whole new batch of windows security alerts?
http://blog.heavensdomain.net
TFAs only mention XP and Vista, but I have Windows 2000 (it will be the last Windows I ever own, and I'm just keeping it running until my end-of-year trip to the USA, when I'll buy a Macbook) and was surprised when I woke up one day this week (either the 11th or 12th of September) and found my computer showing the "got restarted and waiting for somebody to log in" screen. Before I had a UPS, that happened now and then, but since getting a UPS, that shouldn't happen unless we get a major power failure that lasts longer than the several minutes my UPS's battery gives me. That hasn't happened since I got my UPS, and I noticed that other things around the house showed no signs of power loss, despite my computer having been restarted. /., I thought I might have discovered what happens, but TFAs only talk about XP and Vista.
When I logged in, Windows Update informed me that it had installed updates. That's hard to understand, since I've had Windows Update configured for a long time now to ask me before installing anything. When I saw the item on
So was what happened to my computer (running Win2K) the same thing? Did others with old versions of Windows have the same experience?
"It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
While I agree with you in priciple, in order to file a lawsuit you have to be able to show some kind of damages. Now, if this update were to fubar your machine you might have standing, otherwise I'm not sure a court would take it.
IANAL though.
I'm really surprised that they think so little of us that they didn't at least bother to write up a canned statement about the update. Didn't they expect anyone to notice the patching? Many people take others messing with their PCs very seriously, be it micro$oft or some script kiddie out there, and track this kind of thing constantly.
Any word on what the purpose of the patching is?
Ubuntu installs the package "popularity-contest" by default, which reports every package you're using and how often. That's large scale stealth spying, but it's not proprietary so it should be ok...
Now if only we can get Microsoft to patch up all those virus riden spam bots and clear up the net for once and for all.
Since Microsoft is worried about Vista sales, they shouldn't be improving XP -- and I don't know why they would do that secretly. So, I wonder if this patch is supposed to reduce XP functionality.
Unfortunatelly, if MS is caught doing that, they can always claim "ops, it was just another bug". Nobody will notice.
Why hasn't someone diff'd the files that were updated and dived into the disassembly and checked to see what was actually changed?
Would be more informative than bitching about it...
Peace sells, but who's buying?
What is really sad is that everybody here blindly trust this "article" without really checking and re-checking other sources. That's the scary thing these days.
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
Anyone interested in creating a supercomputer (read "computer-mafia" botnet) consisting of roughly 90-95% personal computers connected to the internet? I wonder why this wasn't already discovered by virus programmers, software that install without user interaction automatically.
...since Windows 95 even. It's part of the remote registry background process that facilitates the ability to read data from any file in the filesystem, not just only the registry files.
Dammit, Rob, for the last time: Please fix your bookmarks. We really don't need these updates of yours. Save 'em for your blog.
I don't manage any of our desktops, laptops, or Windows "servers" here at work, but I would expect that this would have some impact on our ability to manage the images we have distributed to these systems if this happened even. We disable the automatic updates service, but I'm not everyone does this.
Those are exactly the kinds of things you agree to with EULA's, and it's not just Microsoft. Software licenses get more bizarre and dickish by the day.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
There are three alternatives you can use if you want to prevent this:
1. Yank the network cord
2. Yank the power cord
3. Install some *BSD (or even Linux will suffice)
SIG: TAKE OFF EVERY 'CAPTAIN'!!
Scenario (A) Lazy Windows users, don't update there Windows to the latest Patches, said computers become infected with spyware/bots/trojans, everybody blames Micro$oft for having shoddy insecure software Scenario (B) Windows ensures than users always have the latest update & security measures by forcing updates on users, and everybodys blames Micro$oft for invading thier privacy Simple I know - but I can't really see what else is expected of Micro$oft? They lose either way.
Port blocking it is.... Nothing ticks me off more than someone "thinking" that they know what is better for me than I do.... I dont care who it is.. If Apple did something like this I would be just as pissed!!! In fact, M$ is giving me even more reasons why I love OSS...
Exactly.
The slashdot crowd are so keen to get their collective panties in a bunch over anything MS might have done that they ignore mere facts.
Also, Joe Wilcox is an asshat of the first water. No journalist he!
Anyhow, as this is slashdot, BURN TEH M$ LOLZ!
No, whats really scary is just how common it is for blind-MS hate and Linux fanboi-ism to cause people who should know better to do things like run with Windows Update turned off.
I happen to like the fact that all three OS's I use (Ubuntu, OSX and Windows) patch themselves automatically for critical updates. I don't get butthurt about any of the three keeping themselves updated. (Actually the fact that I can't figure out how to make Ubuntu do it truly automatically is a lingering sticking point I have with using Ubuntu because I have a few systems I just don't log into all that often.)
...as seen yesterday in that hot video. :/
-----------
Informal poll: Raise your hand if you are surprised that microSoft did/does sneaky updates like this.
What? Noone? Noone at all???
It's expected, by now, and accepted. Sadly.
Same old, same old -and one of the many reasons I've been mS-Free for 8 years...
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
When you agreed to the EULA.
Your recourse if you don't agree is to stop using the software.
---- Booth was a patriot ----
My XP SP2 box does not have the versions listed in the article, and the was no related update event listed.
YMMV
If that update mechanism has a bug or something exploitable...
wow, that would enable some software to get a hold of the full installation base of windows xp..
If Microsoft can do it... then ANYONE can. That's the nice thing about back doors into software, especially one that lets you fundamentally change how Windows looks for new files.
Doesn't this violate every corporate network policy on the planet? What about the defense department?
What if the one of the computers was monitoring a critical system and the stealth upgrade crashed the system?
Isn't this a violation of Sarbanes-Oxley computer auditing requirements?
Food for thought.
Enjoy,
It's just the normal noises in here.
/.er:Windows is insecure, Microsoft is evil.
/.er:Where are my patches?
/.er:You're evil because you patched my system.
MS:O.k., we'll make a system the user can run and patch them system that way.
/.er:You're evil because most lusers won't set it up properly and the net will be taken over by these luser's machines.
MS:O.k, we'll patch the system involuntarily.
/.er:You're evil for patching my system that way.
MS: You've made a career at being happy with whatever prevails, right?
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
If the Automatic Updates service is disabled, you can't manually update Windows through the web site. This may be intentional on the part of Microsoft so they can initiate these back-door updates whenever they see fit. This also forces one to conclude that disabling automatic updates through the control panel does nothing.
(this may become obligatory comment sooner than you expect)
XP SP1?
Why havent these people upgraded to SP2 in the first place?
That's a fine setting for a home system. It's asking for trouble in a corporate environment, particularly one where you run custom applications or services. If this happens on your home computer, it's largely an issue of annoyance and inconvenience. If it happens to large numbers of computers in an enterprise, it may mean losses of millions of dollars. Most enterprises test patches on lab machines to identify issues before they deploy them. MS (or Ubuntu or Apple or whomever) has no business patching anyone's machine without permission. Period.
"The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.
No, whats really scary is just how common it is for blind-MS hate and Linux fanboi-ism to cause people who should know better to do things like run with Windows Update turned off.
Many companies will not install patches - even the automatic Windows Update ones - until they have a chance to test it themselves and make sire that the patch doesn't inadvertently break mission critical applications.
Sometimes, even with known issues, the devil you know is better than the devil you don't...
I happen to like the fact that all three OS's I use (Ubuntu, OSX and Windows) patch themselves automatically for critical updates. I don't get butthurt about any of the three keeping themselves updated.
Wait until you get a call at 4:30 AM from an irate boss complaining that [Killer App A] is no longer working because a patch overwrote a DLL and it's now *your* problem.
If Automatic Update works for you - that's great for you. But for a lot of companies, automatic updates is like playing Russian roulette with a Glock 9mm...
I have my Automatic Updates (on XP) set to 'manual' (default is 'automatic') and my files are the older version (.374). But from the article it appears they aren't sure what process is intiating an update, and Microsoft hasn't revealed anything.
I recall similiar things have happened before, and Microsoft claimed making a mistake, and I believe them as they would surely get caught, but it's really just another wakeup call about your own system security, and freedom to control your own computer.
Why not have a cron job that does apt-get update && apt-get -y upgrade?
I'm going to go home tonight and read that EULA I breezed through when I installed Vista. By way of an analogy, by the terms of my lease the company that manages my apartment complex can pop in to my apartment to fix stuff or for inspections, but only after having given me notice and only during normal business hours. This would be like coming back home from a bar at 2:00 AM and finding a couple guys in my apartment touching up the paint on the door. Why Update would need to be updated like this instead of as a part of the normal update process, as it has been in the past, or why Update would need to be updated on computers where the user has turned it off, is beyond me. Either they're changing the Update site and don't want to leave any legacy access, even a link to download the upgrade, or it has something to do with the WGA/Black Screen of Pirate Death stuff. Regardless, I'm definitely going to be looking in to finding a Linux distro that is a viable pc gaming platform rather than suffer the tender mercies of Microsoft and the WGA.
This unbiased moderation brought to you by the Porcine Aviation Group!
I patch the boxes myself. I do it regularly. I CAN NOT have Microsoft patch them automatically because I run long duration tests that CAN NOT be interrupted by an update or a reboot.
This was definitely without my permission, and raises the question about who has control over my computer, me or Microsoft. If Microsoft can put files on my computer without my knowledge, then it is really Microsoft's computer, which is control that I find extremely objectionable.
man cron, then man apt-get
Sometimes, life itself is sarcasm...
I sure don't want any more updates from Microsoft. I'll deal with protecting myself from all of their exploitable bugs my own ways, it's far safer than letting someone who has already screwed me free to screw me again. If there is any sort of class action suit over this, sign me up.
I'm an American. I love this country and the freedoms that we used to have.
It seems like its just a few updated DLL files. Programs throw dlls around all the time. These do not seem to have harmed anything. However, it does not sound right. How did these updates get installed, that is kinda my question. Is Windows programmed to ocassionally phone home, and when it did, these updates got applied, or did MS have some bot that like scanned IP addresses looking for copies of windows and push these, or what? Kinda strange.
I somehow doubt, though, that the intent is malicious. While Microsoft may play dirty politics, and turn off pirated versions of Windows, I seriously doubt Microsoft would intentionally push software out that would screw up their own software. Chances are, this is just either an oversight on someone's part, or an improperly deployed update. Or it could be how Microsoft is planning on blackscreening vista users.
If Automatic Updates was turned off, how exactly did Microsoft reach out to this one PC, enable Automatic Updates, and then force downloads onto the PC?
Self awareness - try it!
...Wouldn't a simple firewall (such a Kerio personal firewall etc.) have picked this up?
who will Microsoft give this 'feature' to next, willingly or not? They can restrict the update to a
target range of IPs and then you won't have nosy people writing stories about mysterious windows updates.
What this means is that once the Chinese or Estonian hackers figure out how to do what Microsoft just did, then THEY OWN YOUR DATA.
How any corporation in its right mind could tolerate what is obviously an insecure platform to run proprietary & highly secret information on for generating profits for their shareholders is simply beyond my grasp.
Bo
It will be interesting to see how publicly traded companies square this type of behavior with the controls they have implemented for compliance with the 404 parts of SarBox (o/w known as "The full employment act for American accountants and auditors.")
How can a company say they have control of their systems when an outside company can come right in (pretty much regardless of your network controls, firewall, etc..) and change files on one of their computers at will. With 404 controls, you typically have separate test environments and strong processes to control how software moves into production environments. This hardly fits that model.
Suppose you were an idiot. And suppose you were a member of congress. But then I repeat myself. -- Mark Twain
http://en.wikipedia.org/wiki/Begging_the_question
Please read.
If you're running a reasonably robust firewall, shouldn't the OS be unable to call home?
The only thing that Automatic Updates, updates is itself, the AU service can be disabled, and this doesn't apply to computers running under WSUS (read: every corporate network machine, so only applies to home computers).
So it's not brilliant of MS to do this, but not the end of the world either.
Ok ok! There's no excuse, you're right.
throw new NoSignatureException();
I'd really like to know the purpose.
If it were anyone but MS, I'd assume it was a countermove to Storm or some other large botnet (you don't think Storm's the only one, do you?) which disables or subverts the usual automatic update process.
Knowing this is from MS, I wouldn't be surprised if it's WGA or some DRM crap.
Assorted stuff I do sometimes: Lemuria.org
2.) Select "Updates" tab.
3.) Under "Automatic Updates", select the "Install security updates without confirmation" radio button.
http://www.mhall119.com
As far as i am concerned, you need to have administrative privileges to alter those files. That means - MS does have them. So they have access to all data on affected (or should I say infected) PC. Now that's something authorities have to be VERY worried about. If they can use this loophole - someone else can act the same way. So much for privacy...
Ahh, what a pleasure it is to run emerge -uDN world. Updates only when YOU decide to do them. Ultimate freedom if you wish.
This freedom clearly overcomes all artificial difficulties with Linux. By "artificial" i mean hardware providers who don't provide drivers/specs and stupid patent regulations that require you to manually install additional codecs in order to play mp3/dvd. Linux IS a superior system because both problems have nothing to do with the system itself.
To get Windows Update to work manually:
I leave BITS off, but set it to Manual. I also leave Automatic Updates off, but set it to Manual. Before I run Windows Update, turn Automatic Updates on, AND SET IT TO AUTOMATIC (I'm not sure turning it on is necessary). When I'm done, I set Automatic Updates back to Manual before rebooting.
The Automatic Updates service needs to be set to Automatic for Windows Update to work.
That would install any updates, not just critical/security related updates. He said he wants security patches automatically installed, he doesn't necessarily want to update all of Gnome.
http://www.mhall119.com
No! It is the Windows Marlon Brando Lookalikes!
how long until
On a more personal level, I dislike most Microsoft products (with certain notable exceptions), because I think they have a corporate culture that promotes mediocrity and "good enough"-ness. As someone who has always labored to pursue quality and technical correctness as an end in itself, I find the inherent laziness in their products offensive. I understand this is a personal decision; looking at other product arenas, the mass market is usually filled with garbage. This is fine, and consumers should have a choice as to what they want to buy. However, I detest Microsoft for virtually eliminating the consumer's ability to buy better.
Also, they have an apparent contempt for both their competitors, which is understandable if unwarranted, and their customers, which is unacceptable.
I don't hate Microsoft for being on top. I hate them for being on top, while pushing an inferior product than the market would produce in their absence, on all of us.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
the article says that computers configured to update via WSUS were not affected. I can confirm that my computer wasn't updated. Most companies that pay attention to their updates probably use WSUS to manage them.
-- "Freedom is the right of all sentient beings" -Optimus Prime
So we have the list of files. Does anyone have a summary of WHAT was changed to compare the old and new DLL files? That would be more helpful than the anti-MS going around and simple list of files. I hate MS too, but for my dual box I wouldn't mind knowing what they did.
Maybe its one more move to enlarge botnets?
If MS is going to do what it wants to anyway regardless of the selections the user makes in the OS, they may as well not even provide configuration options.
It sounds like any selection you make in Windows is interpreted as a suggestion anyway.
OS: Thanks for selecting X, we've selected Y for you anyway because we think it's better for you.
For those of that do want a choice, we can switch to a different OS. I know as soon as major game support comes to Linux, I'm done with Windows.
We'll make great pets
It doesn't appear to have updated anything on my XP SP1system....ever. Of course, I've had Window's Update turned off from the get-go, so apparently something somewhere was changed with Window's Update from the default XP install (which doesn't allow 'stealth upgrades' apparently).
HAHAHAHAHA. That should teach you to never allow anyone to remotely 'update' your OS 'automatically' for 'security purposes' (or any other reason). Fools.
Exactly what I was going to say. Any larger organization worth its salt is using a standard image on their PCs. Changes to that image have to be properly vetted through a change control process. For Microsoft to make changes with AutoUpdate turned off is, quite simply, wrong.
You mean Microsoft is the evil Microsoft? I'm shocked! Shocked! Well, not that shocked.
Because it would imply that someone else has already found out how to subvert WGA for his own purposes.
Instead of forced upgrades by M$, Malware from who-knows-where.
C - the footgun of programming languages
Most of the places i work, i have to fill out 4 forms and get sign off from a change control manager plus about 10 other people before i can change software on a machine. Wish i had that kind of power.
If this goes sour though, im going to have a wonderful chuckle.
Couldn't really care if they want to push out that kind of rubbish to my windows laptop though personally.
Though i find some peoples comments amusing (like "do you really want to be running a non-patched box"). Since when did MS push out patches relating to security through anything but windows update? I suppose some people out there like to think the best of MS just like alot of us want to think the worst.
Now even MORE people will start switching to Ubuntu. Nicely done Microsoft! It's almost like you're on our side:
1. Over charge for Vista.
2. Make sure Vista is bloated and slow.
3. Make the 3d interface of Vista inferior to last year's 3d linux desktop.
4. Continue not following standards.
5. Continue attempting to lock people in with proprietary formats.
6. Make sure that Internet Explorer remains grossly inferior to Firefox.
7. Make sure that Outlook remains grossly dangerous and bloated compared to Thunderbird.
8. Try to thwart Piracy.
9. Windows Media Player. Seriously: WTF?
10. Lack a proper modern package management system.
11. Fail to make any OS secure at all, ever.
12. Continue poorly coded and buggy updates.
13. Force said updates on people without their choice.
14. Have I left something out?
It's almost like Redmond is DEMANDING that everybody upgrade to Ubuntu. Maybe I'm missing something, but now with the opened up ATI drivers, the continued improvement of dozens of FOSS apps:
Firefox
Thunderbird
Open Office
Gimp
Pidgin
7zip
VLC
Rhythmbox
Ardour
etc.
And how seriously bitching all the compiz-fusion eye candy is.... All we need now is a couple of really good games to leave no reason for people to continue using Windows. And we already have a couple:
Urban Terror
Mupen
Anyone else smell the dying last few breaths of the Microsoft hegemony?
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
And Microsoft knows this. Thats why they have a couple of options available to system and network admins. WSUS is already on it's third version. If you don't want to use that, System Center Essentials includes a similar feature.
My Sysadmin Blog
Spanners lead to a natural monopoly: a spanner is only as useful as the nuts it will work with. Electrical outlets too: no good if nothing will plug in to them.
But make a standard fitting (1/4 inch Whitworth, for example) and the natural monopoly becomes a natural free market.
Your OS could do the same. Standard API, unique implementations, propriatory conbinations and accessories.
The point is, the user does not want updates to happen automatically and has shut this off. I don't mind updates to be downloaded, but it would piss me off if they installed without letting me decide when and if. An update can break things. It can change the behavior of how your system works etc. At least when you tell the system to update and after that if something doesn't work, you have an idea of who the culprit is.
Blind MS hate? Bitter experience, more likely.
"I've got more toys than Teruhisa Kitahara."
But if M$ is going to do this, I wish they'd get off their ass and apply the patches to all of those 'owned' zombies out there participating in Storm, etc. botnets.
Otherwise, if M$ is going to f*ck us like this, I would prefer to be kissed first...
They may have disabled Windows/Microsoft Update but did they disable Internet Explorer separate setting regarding BHO updates? The only thing updated was the Windows Update API, this would be done if the BHO saw an update and went to get it (which it should).
I think this is all a big drama over nothing. I highly doubt the person actually disabled the correct option.
Microsoft did it.
-
=D
This is basically a backdoor.
-b.
>>Programs through dlls around all the time.
Dlls ARE programs. Most of the functionality of the system is in Dlls.
Could you elaborate how the updates to the Windows Update subsystem have the capability of breaking Killer App A? I'm curious to know.
As evil as this is, don't think that MS doesn't know anything about backward compatibility. They already bend over backwards to ensure older programs run, often going to the level of fixing memory management issues via shims. Why would they want to create more work for themselves? Oh, right, because they are innately evil and out to screw everyone. I forgot what site I'm on.
-b.
M$ sucks for all of the things you mention but they are all non free software facts of life. Windoze is insecure because they don't have enough developers to do things right. M$ is evil because they force what's wrong onto the entire industry. Non free auto updates are evil because they have nothing to do with security and everything to do maintaining a monopoly. This is what you have to do if you want to keep users divided and helpless, and that's what non free software is all about.
Uncontrolled updating is crazy. Home users will be angry when things break, as they always do in the clannish non free software world. For IT, this is an unacceptable threat. Business can not tolerate external meddling like that, because it shortcuts testing and will cost real money when hundreds of people come to work and are unable to do their jobs. It's insanely arrogant for them to expect get away with this and that they would try is a sign of their increasing desperation in the face industry revolt. Vista is a failure because non free software works for owners not users. This has always been the case, but auto updates make it obvious. With auto updates, you can never be sure what works today will work tomorrow.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
What OSX patch installed itself automatically? I have run .1 though .4, and I don't remember a time waking up in the morning to find my computer rebooted and sitting at the login prompt. I also run Debian servers, the base for Ubuntu, and I have never had a system update without me logging in as root and running apt-get to get the updates. Tell me which updates pushed automatically for each OS you say auto updates without prompting and I'll look it up and confirm it, but I don't know any or find any for Debian or OSX.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
I can recall their updater running without my say so a few times now. So I figure my still running Windows is implicit consent. And frankly as someone "technical" yes it seems offensive, but if you consider Microsofts position when faced with a potential security melt-down all over the news vs. a little whining on /. it seems like an easy thing for them to do. And it wouldn't surprise me if their updater was remotely exploitable. Actually it would surprise me if it wasn't.
-- http://thegirlorthecar.com funny dating game for guys
Just sayin'
How do you know these guys did not have a virus or a trojan? Why immediately and jump MSFT? One of the first things a trojan would do now a days is to disable windows update or protect itself from update. So first prove it is not a virus and something emerging from Redmond before you blame MSFT.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
+447831737715
Well if this is making changes to WGA, then Microsoft might be guilty of an offence under UK law. I guess it depends on the contents of the EULA. What does "unauthorised" mean, and if you asked not to be updated, is the update "unauthorised"?
Section 3 follows: 3 Unauthorised modification of computer material
(1) A person is guilty of an offence if--
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing--
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.
I'm no lawyer (far from it) but haven't I read somewhere that changing data on someone else's computer is illegal? In this case, maybe they just wanted to speed up mouse/joystick response to improve game playing performance. Maybe. And most game players would be properly grateful for the improvement, maybe.
But what if this is a keylogger? I can think of many, many pieces of software I don't want installed on my PC by MS, or anyone else, some of them even legal.
I've had automatic windows update turned off since they invented it. I also have a firewall that is set to refuse connection from microsoft (or at least not set to allow them). I'm at work right now, and my machine here at work hasn't been given this particular update, as we push windows updates to our users on OUR schedule, not ms's schedule.
I can't wait to see if my system at home was proof against this stealth update.
And the suggestion in one of the articles to terminate the update service sounds good too.
I think MS may have stepped on or over (maybe way over!) the line of what they're legally allowed to do. I suspect that in the rush to tighten up the legal system for the War on Terror, they might now be qualified for membership on a list with Al Qaida in Iraq...wouldn't that be interesting?
Anonymous coward for this discussion, member since a long long time ago...
...some of which only run on Windows.
3ds Max is the big one, my business is built on it.
If you're using Windows, unplug your ethernet cable... permanently.
You'll lower your chances for Malware too! It's a great new feature of Vista.
+1
Very insightful and exactly my thoughts. Large corporations need to control what patches are installed on their machines and won't perform any upgrades until they've fully tested update. Microsoft can destroy that controlled environment by upgrading a computer without anyone's knowledge.
Microsoft operates these days just like the malware people. Microsoft is untrustworthy.
You can lead a man with reason but you can't make him think.
None of them have the indicated "stealth" updates.
The only computer that has the "7.0.6000.381" versions is a laptop that I explicitly updated last night (before reading about this issue.) Both the Win XP Home and Win XP Pro partitions have the newer wu* files... the ubuntu partition does not ;-)
Do you have that ugly Windows Security Alerts shield in your system tray? Mine is turned off. Maybe the wscntfy.exe program gets some updates for the update program... and I don't have that running.
At the end of the day, I suspect there is a way to prevent "stealth updates", and it won't be anything sinister, just average programming at work.
This issue is a bit more complicated than you think.
Then he simply needs to deselect all but the -security repositories for his version of Ubuntu. Works fine for me.
checked whether my virtual box's XP did it, but I figured out the first thing I did with it was disabling the internet connection for the virtual machine, I feel relieved.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
You are buying the license to use the software, you are not buying the software itself. People do not seem to understand this. You are given permission to install and use the software, that is it. While that software is running it is still property of Microsoft and guess what? you've agreed to this already in the EULA. Microsoft can configure and set it up any way they like once it is on your system, because you've accepted the software "as installed". I suggest blocking outbound ports on your firewall if you are concerned about this.
You DID read the license agreement / EULA that came with it, didn't you? No guarantees, anything can change, yadda yadda...
It seems to me that Microsoft believes that my system is somehow there property. Yes, I know that their software remains their property and I am merely licensed to use it (as long as I agree to use it in ways they say are OK), but really... come on now... never have Microsoft alternatives looked so good to me.
It apparently already goes through firewalls (hard and soft) that someone previously has mentioned. I'm not sure how, I'd have to have a packet sniffer on the line to see what is being sent and received. My assumption is it does an open port scan/stealth scan on your own network to see what ports are available on the outgoing then calls home.
Wait to see what will happen once some bright young (or old) hacker finds a method to subvert this forced update to go to a different site.
It'll be similiar to a McDonalds slogan.
1 billion botnets and growing.
But then he would have to reselect them when he wanted to update from them, my solution further down the thread does what he wants with minimal hassle.
http://www.mhall119.com
Clearly if MS thinks they can do this then they also think your computer is their property or wholly owned by them. People only seem surprised because they still believe they are the legitimate owners of own their machines. This is a very good legal question, actually.
Also, I don't see anyone asking the obvious question - why did MS choose to do this by stealth rather than openly? Something is up, now my curiosity is piqued.
Of course, another good question is why they thought nobody would notice. Makes me wonder if they've successfully done this many times before without anyone noticing.
"If not for MS, somebody else would be making cheap, consumer-grade software "
http://www.windowsmarketplace.com/details.aspx?view=info&itemid=3268636&WT.mc_id=0107_54
In my world, $260 for an operating system is not cheap. In the Macintosh world, for $130 you get the same thing, and for $200 you can install it on every computer in your family (within reason). In the Linux world, that's pretty expensive.
At one time, MS software was cheap, but once they wiped out all the competition, the price rose dramatically. I used to be able to get upgrades to MS Office for $130. I used to be able to get Windows for $79. Microsoft software is now expensive, and now I find out that the damned thing will upgrade itself even when I tell it not to. What else is MS not telling me?
Microsoft will no longer get money from me. Maybe from some other person is not well informed, but I can't see how anybody would voluntarily submit to this behavior.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
The sneakware addressed possible exploits which were imminent or active, exploits that revealed shoddy engineering so as to undo years of p.r. saying Microsoft now gets security, and exploits that could be immediately and effectively implemented if Microsoft fixed the problem in a public way. Why else would it be done stealthily, pre-emptively, and not part of Patch Tuesday?
We are sure that Microsoft was the one patching?
If the "firewall" is running on the Windows system in question, then there is no way to prevent the process doing the updating from hiding the fact from the firewall.
press f3 ...
type wuapi
wait
right click, properties version tab
losers
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I keep the windows update feature disabled since it first appeared. My Kerio firewall never reported Microsoft trying to call home.
The best way to have a clean, updated and (relatively) secure system is to slipstream Service Pack 2, SATA/SCSI drivers and RyanVM's updates into a nice small package with nLite. You can also clean useless stuff such as the Tour, old drivers, the Wimp etc.
There is also Xable's update pack at http://udp.xable.net/ which is more regularly updated and smaller but contains only critical fixes.
Comment removed based on user account deletion
Keep in mind that you haven't *bought* Microsoft software, you've bought a license to *use* Microsoft software. Microsoft has retained ownership of the software, itself. As to whether "stealth updates" are legal or now, find a lengthy open time slot, get out a magnifying glass, and *read* that license that you clicked "I agree" to.
Monopoly issues are only slightly relevant, as a competitive software market might force more attention and consideration into licensing. Shoddy software is only slightly relevant for the same reason. At the base of it all, you NEVER own proprietary COTS software that you "buy", and that's not just Microsoft.
The living have better things to do than to continue hating the dead.
My win2k3 server box did the same thing.
I hope to God you're not an engineer of some type - do you always just leave things to chance?
You need to be more proactive: Get a static IP from IT (if in a corporate environment), or pick one from your home subnet. Assign it to the NIC, and remove the default gateway before you run a job. You could even automate it.
That way, nothing is leaving the local subnet until you reassign the gateway.
That's one way to solve the problem, and there are many refinements that could be done to that.
Another, of course, is to just disconnect the network cable, assuming you don't need LAN connectivity during these tests.
But, it sounds to me as though you just want something to whine about... and, looks like all the people here with more mod points than brains agree with you. Or, you're not very bright, in which case, neither are the people that modded you up.
Man, I just love Slashdot these days. Many of the people here now don't think - Hell, most of those seem to be incapable of doing so.
...Microsoft did install a whole *OS* on my computer without my permission !
And the worst part is, it was *before* i even purchased it !
You are completely wrong. You don't have to agree to any license to use linux at all. You can do whatever you want with it within the bounds of copyright law without agreeing to anything at all. The only time the license applies is when you want to do something copyright law prohibits. That's COMPLETELY unlike the windows licensing situation.
It is completely accurate to say that your copy of linux is completely yours. So is your copy of windows for that matter, it is just a question of wether or not the creators of the software acknowledge it and try to restrict your usage later with extra license terms you are promted to agree to at install time.
If I was an amoral monopoly desperate to stimulate sales of my new operating system, and said operating system was so benefit-free that the only way of shifting it was pre-loaded on new hardware, I would perhaps consider updates that impacted the performance of my earlier one. If I could get Joe User to think 'Hey, this old machine is getting slow, perhaps it's time for a new one' then I win. Is this too fanciful? Anybody done any performance benchmarks of vanilla XP versus a fully-patched one on the same box?
Isn't accessing another person's computer without their permission illegal? I mean if I can go to jail for accessing an open wireless network and I can go to jail for hacking into your computer to view your personal pron stash, then isn't this a punishable offense?
You linked to twitter's journal, eh?
Indeed, I did and I'd like to thank all of you Assholes Cowards for pointing it out to me. I ordinarily ignore your posts and don't pay much attention to user names. Your "ERRIS is the TWITTER" nonsense finally enticed me to look and I like what I found. Please keep advertising twitter.
Non free software is a vital part of any government's attack on people's liberty. Besides the direct attack on software freedom, non free software is used to keep tabs on citizens and censor their news. Even when it's not directly abused as it is in China, non free software is insecure and presents an unacceptable treat to the free internet and every form of free communication. Twitter points these things out and I'll continue to link to him and others where appropriate.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Did anyone bother to see what the updated files are for? No? It is an update to the Windows Update software. Not any "core" files, but essential if you want Windows Update or Automatic Updates to ever be able to check for updates. These files are version 381, I am sure the same thing happened when they updated to version 374 and I bet no one noticed then....why?....because it isn't an issue. If you don't want the automatic updates then you wouldn't have the service running. No service running, no updates are downloaded. It is a simple as that.
--
...Why has no one has asked the vital question "what was in these updates?" I want to get beyond the bickering over the EULA and find out what they did before I decide whether or not to strongly or just mildly object to it.
Doesn't this mean if someone were crafty enough they could fake being Microsoft (with some nasty network hax0ring) and install whatever they wanted on pretty much ANY Windows machine connected to the intarweb?
Like I said, I could be an r-tard.. but...
I do not respond to cowards. Especially anonymous ones.
According to comments posted to the Joe Wilcox "Microsoft Watch" story that is cited in the summary, Windows Update updates itself since at least XP SP1 (and the comments have a link to a Microsoft page that talks about this).
Disabling Automatic Updates using the Windows Update Control Panel apparently does not include disabling updating of the Windows Update software itself. There are reasons given in the comments and the referred Microsoft page, if you want to see them, but regardless, Microsoft should be more clear about this and should be taken to task for not doing so up till now.
If you want to disable even updating the Windows Update service itself, then you should use the Services control panel to turn that service off.
-- "I never gave these stories much credence." - HAL 9000
*If they're not lying
They updated the windows update engine, That's not going to affect your apps, homegrown or otherwise.
If windows update was really going to stop working altogether if this didn't get applied, It would make sense to apply it before everything died. (making it impossible to apply it easily)
I seriously doubt they had to do it this way. Unless there was some y2k like bug that would cause it to die off, they could have launched it nominally. My guess is they made some big change to their backend and needed to do it this way to make thier lives easier.
Scarier yet, If this has something to do with windows genuine and they plan to route out all the non-genuine licenses.
Windows update in it's current state is in pretty bad shape. I work for a decent sized company. It can't seem to update machines without locking a decent percentage up for 15-20 mins with 100% processor util. WSUS3 improved that situation somewhat and updated the WU system. The best possible scenerio is that this a product of that fix and they rolled it out silently to improve user's perception of thier products. (unlikely)
All they are updating (so far) is the windows update mechanism itself. There are probably many valid reasons why they'd need to do this, the big one being to ensure you are able to get important updates in the future. We all know that millions of end users out there ignore windows updates until it's too late. If they ignored a fundamental fix/update to the update mechanism itself, they might not be able to get important updates in the future so I can forgive MS somewhat for forcing this type of update.
That said, if they ever use this mechanism to fiddle with the rest of the OS without your permission, it's a huge breach of trust. It would also be disturbing if they are using this mechanism to strengthen Window's activation/genuine advantage DRM.
And yes, a warning or notice of such activity is the least they could do.
Disable BITS and Windows Update in Services. Turn them on when you want to update. Turn them back off when done. Remember to reboot when disabling them.
Ho-ho-hold on, hold on one second. This installation has a substantial dollar value attached to it.
Where we have strong emotions, we're liable to fool ourselves. -- Carl Sagan Sh!fty
but disappointed in what MS continues to do. I am also one of the people who turns off automatice updates. I like to know what I'm installing and what will be changing. Why would I want to install a patch to WMP that "fixes" the way to get around DRM media? MS has money and it has lawyers so I'm sure we granted permission somewhere in the EULA but that doesn't make it ethical. MS gets away with a lot of things they do simply because they can. Who's going to stop them? and who's going to replace them? I was actually supportive of MS business practices up until XP came out. Activation, limited functionality, WGA, updating when I specifically said not to...I'm drawing the line here. Sell your product but keep your hands off once I have it.
Maybe because recent history has shown that MS patches do at times break your computer, and sometimes do so intentionally though incorrectly (if they think you have a pirated copy).
Microsoft defines infringement as theft, I don't see why this wouldn't work in the other direction. If illegal installation of Windows is stealing, this act is a simple case of breaking and entering with theft of your hard drive space.
Someone should file a lawsuit and set a precedent. It's crazy enough to work
So while I may click "I Agree", that is agreement in principle only and by no means a guarantee that the OS will actually be able to complete said auto-update.
Just highlight the said file in explorer, then Alt-Enter and Control-Tab. The version number is right there.
I'd only check this via strings if I were already booted into Linux.
Ha, my confirm-you're-not-a-script is "cleverly"!
OK, let me get this straight.
Every time I've gone to Windows update and there's been an update, I see the Windows Update needs to update files, then a prompt to INSTALL A NEW PROGRAM. It then prompts me with "Windows Update needs to update your files to work with this version of Windows Update". It doesn't run the installer until I click OK. (I just watched it in ProcExp).
So what, the end user just clicks the Install ActiveX Dialog, then the "update my system" dialog, and is pissed off because their system did what they just let it do?
W. T. F.
I'm more pissed off when MS askes me to update my system and NOTHING HAPPENS. This guy is complaining because MS asked him if they could update his system, he said yes (TWICE) and it did.
If you don't want updates, don't go to the friggin' Update Site.
www.christopherlewis.com
Sorry for replying to my own post, but further reading suggests this isn't nearly as bad as TFSummary makes out. If you follow the links to the stories on the other sites, and read the comments and links given there, a lot of people are suggesting that this is only updating Windows Update files when you visit the Windows Update site, and not in fact a push of arbitrary changes at all. There's so much hype and FUD flying around this discussion that it's hard to see the wood for the trees.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I seriously doubt Microsoft would intentionally push software out that would screw up their own software.
(set TINFOIL_HAT= TRUE) For now.
Look at it this way: Someone has installed files that directly affect the operating system itself on your personal machine without notifying you that it was being done and, in many cases, despite having told them not to install anything. It's the ethical equivalent of someone sneaking into your house and messing with your stuff behind your back, even if it was, "for your own good".
I'd be pretty pissed- and quite worried- if my "friend" decided to update my system software over the net for me without bothering to ask first even if it was with the best of intentions- especially if I'd told him not to do it in the first place and thought I'd set the machine up so nobody could do that.
This also doesn't say much about the security of Microsoft's software. If they can surreptitiously install system DLL's over the net without your knowledge -even when you've explicitly told them not to- despite your having carefully installed all the nice, effective security patches they require you to install and having your machine armored against intruders from the network doing just that, how long do you think it'll take before some bright boy to figures out how to install HIS "update" through that same mechanism without you noticing?
Backdoors are NOT good things, no matter who's got the key to the door.
I suggest running a non-MS firewall, that seems to have blocked their little incursion.
I think people's objection to this is if MS can update your machine without your knowledge or consent, so can h4xx0rz. Also, there is an often valid "if it ain't broke, don't fix it" motto. If your machine is running don't fuck with it!
Of course, if you decide, after-the-fact, that you really do want a Windows license, you will have to buy it at retail for $200.
OCO is Loco
I wonder why nobody ever even started to mumbl by the fact that windows update always told you "Important security update" while they installed the new version of Windows Activation.... that's just a lie, has nothing to do with security.
They can *bill* me.
While Microsoft is not selling, only licensing the software for you to use it, Microsoft is not entitled to "trespass" your own, (inter)net(work) connection, financed by you, in order to connect to your computer without your explicit permission - especially not against your explicit will, which declares that you don't want automatic updates.
Basically sending those files to your computer, using your resources, against your explicitly declared statement is not different than a hacker illegally breaking into an NSA, FBI, etc. computer. Illegal, punishable by severe jail terms.
It would be interesting to see a class-action suit with those charges against Microsoft as a company and against the CEO, and each of the board members as private citizens.
But of course, in order to use software it needs to be copied into RAM. This is the historical legal justification for software EULAs. You can't put a EULA on a lawnmower to tell people what lawns they can mow with it; the doctrine of First Sale prevents that. You can't put a license on a DVD or CD telling people how they may use it, either; only how they may copy it. It's only that particular quirk of software that to use it you must copy it which supposedly makes EULAs valid, and AFAIK (though IANAL) that theory has been invalidated on the grounds that copying from disk to RAM inside your own computer for the purposes of software is fair use and necessary for the product to be merchantable as advertised.
So fuck EULAs. Your computer is your property and if Microsoft does anything to it against your wishes they should be held criminally liable.
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
I am taking my computer back, I am going to erase this malware operating system and install Linux. I have used Microsoft products since the first version on DOS and this is the last straw for me. Hmm, now which tasty version of Linux will I take a bite of? I'm sure someone here will make a recommendation, I will actually go to the store and buy a copy because I want to.
Wait until you get a call at 4:30 AM from an irate boss complaining that [Killer App A] is no longer working because a patch overwrote a DLL and it's now *your* problem
It doesn't even have to be a buggy patch either. A sysadmin at one of the companies I used to work for applied a sendmail patch to one of their mail servers w/out testing it first and all of a sudden no one's getting their mail. Apparently the issue was that the mail spool path had been changed to something non-standard and the patch assumed the mail spool path was in it's standard location....whoops.
To my knowledge it hasn't been tried in court. Just because MS thinks it is legal doesn't mean it actually is. From what I understand it wouldn't hold muster, the problem is that nobody has the cash to fight it (here's hoping the EFF will do it). Any lawyers out there that can comment?
I mean, I could sell you something and in a EULA demand your firstborn, that doesn't make it legal.
Writing style, paranoia, whiny foot-stomping tantrums at Microsoft.
Oh, and don't forget those times when you forget which account you're logged in under. Or is it all just an astonishing coincidence that you're both living in Baton Rouge, Mr. "I haven't shoulder surfed any Vista users in LSU's student union"?
You aren't fooling anybody, you know. So how much does Microsoft pay you to besmirch the reputation of Free Software?
captcha = "superset". How ironic.
I wish my harddrives had a physical write allow switch. Simply install your OS then switch off write access. If there was updates you would switch it back on when you wished to install it. All other configuration settings would be on another disk - delete that and you'd have a fresh install (with updates). My guess is this would save tons of time for system admin. Virus on your box? Shutdown, put your disks in "storage" mode (where settings would not be read from them) and use your antiviral software (which is located on your write protected disk) to scan it.
Like alot of Microserfs I thought Windows was the best. I moved to Linux for a year and realized it has so many more features even only considering the GUI's. Now I'm on a contract with Windblows and ever week I run into a blatant bug. From IE dieing silently to Outlook taking 2 minutes to do a simple cut and paste. From file searching not working (I know, this was intentionally defeatured by retardosoft) to file deletes which take 30 minutes. I've concluded Windows users are dodo birds. They do not know the climate has changed. I guess it's like the blue cross company where I contracted in 2001 who still did EVERYTHING through a mainframe. The old timers had setup the company in the 1960's and it worked then so they figured why change. Winblows is the same: a real productivity killer.
I remember a few years ago when I use to do that retarded "send bug to Microsoft" popup thing almost every day. It became a joke. How many times would they popup the notification yet never fix IE? I gave up after about 3 months. I realized they had no intention of fixing their bugs. Like one friend proposed, the software industry should impose penalties for bugs.
Expect Freedom.
On /. you could use the equivalent of efficiency, which is efficacy, and your (i.e. you're) new statement would be valid/void.
I bet the stupid mods rate this inflammable...
If you don't know what AltaVista is (was), get off my lawn.
Oh yeah. No patches, and when time comes, just buy a new shiny machine with new shine OS, eh? True MacSpeak.
While reading TFA, something in TFA caught my attention, here a list of changed components:
1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll
1.Iwonder.dll
2.whenmsft.exe
3.willsee.dll
4.youcan.dll
5.usemore.exe
6.than8_3.dll
7.notation.dll
8.innames.exe
9.1984want.scr
10.itsdos.dll
11.back.txt
So the solution to the problem is to pay for more software from Microsoft? Yeah, I can't see any reason why anyone would be upset about that.
God is imaginary
Why won't my car manufacture forceably upgrade or fix my car for free in the middle of the night? Is it their fear of being shot or arrested for trespassing? If they notified me as to when and what they planned to do I'd most likely acquiesce. I wonder if they could make me put the factory radio back in, put the OEM tires back on or use OEM filters. Could they stop me from driving if I didn't comply immediately. No, because those damands would be unconsciencable in today's buy-the-foundation-motify-it-to-suite-your-needs markets. Are they allowed to send ad reps to look at my car at my private residense and then send me junk mail on top of the junk mail I receive for the stuff I already bought? Funny how they wouldn't dream of forcing poeple into that, simply to drive a new car. Or buy someone's used car. "Well if you don't like M$ tactics, use something else." The year is 1900, "If you don't like AT&T, use something else to communicate with the majority of poeple." In comes the government and sets standards and regulations. To bad I equally distrust the current government to do it right. flame and nit pick all you want...
I wonder if a class action suit against Microsoft or better, a criminal investigation for (depending on what they exactly did update, and more importantly how they did it, with WUA set to off) maliscious abuse of property or breaking into an electronic device (the same stuff that crackers get charged with) would come out?
If Microsoft could update Windows without your permission, it means there is a backdoor in the OS, put there by Microsoft. Microsoft have done this before, namely back in 2000, there was a backdoor in ASP/IIS with the password "netscapeengineersareweenies", put there by Microsoft. That sort of thing could be incredibly destructive in today's virus/trojan laden internet. In onther words, I don't think it's as clear cut a case for Microsoft as you think. They could get into incredibly steep trouble with this (and since this will automatically come to the attention of the European Commission, there's a chance they might not be too happy about this as well)
This is my first time posting on /. but I've been a long time reader for many, many years. Microsoft good bye!
Before you fly off your handle, you should read your state's Sale of Goods Act (or whatever it is called). Most of these acts say some thing to the effect that if it looks like a sale, then it is a sale, which makes any EULA moot, unless you explicitly agree to it in a prescribed way - signed by both parties for example.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Um....WSUS is free.
My Sysadmin Blog
Microsoft has posted a reply here.
This space for rent.
Here is where I found this. Very interesting
:D
Q: Some people are saying that WGA is spyware. Is this true?
A:
Broadly speaking, spyware is deceptive software that is installed on a user's computer without the user's consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. If the user declines the EULA, WGA Notifications will not be installed on user's machine. Once installed, WGA Notifications becomes a permanent part of Windows XP software, and therefore cannot be uninstalled. However, users can disable non-genuine reminders by changing WGA Notifications setting in the system tray icon. WGA is not spyware.
So by definition, this was updated using spyware provided courtesy of Micro$oft. I'll bet Windows Defender didn't catch this one
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
"When users launch Windows Update, Microsoft's online service can check the version of its executables on the PC and update them if necessary. What's unusual is that people are reporting changes in these files although WU wasn't authorized to install anything."
The question of whether Microsoft is in the right to update Windows Update executables without asking permission seems simple, but there are interesting aspects due to the closed-source nature of Windows.
One the one hand users (especially business users) have a legitimate interest in having their Windows systems remain stable and unaltered unless they wish them to change. So from that point of view it's not correct on Microsoft's part to change files, any files, without user's permission.
On the other hand, the Windows Update files only implement a functionality that allows Windows machines to communicate with Microsoft's Update services and nothing else. Strictly speaking therefore a Windows user has no legitimate interest in keeping those files frozen.
On the other hand, Microsoft has a clear interest in being able to change those files. Just imagine that Microsoft wants to change the compression format in which Windows Updates are sent. Or the protocol. Or the server name. It would be impractical and unreasonable to demand of them that they (a) ask individual users if they can please change the file format, the transmission format, the server name, or anything else (because this is no business of the user anyway), or (b) have to support umpteen different versions of Windows Update.
Furthermore, one can continue this line of thought and make a case that it's really none of the user's business what exact Windows system files are on his machine. They're all unreadable to him because they're binary, and he is debarred by law from trying to read them (that would be decompiling which is forbidden in the EULA).
In short ... when our Windows user bought a license for a closed-source product like Windows, which must (for security reasons) be updated regularly, one can argue that he didn't buy a license to any specific set of files but he bought a license to a system called "Windows", which promises him a certain functionality. And it's Microsoft who defines the technical details of what goes into Windows. Not the user. So Microsoft should be able to change the technical details of MS Windows, provided that the user retains broadly the same functionality as what he bought his license for. And certainly that part which communicates with them about patches.
Of course I'm playing devil's advocate here, but I think you'll see the logic.
Organizations with change control on system updates are not going to be relying on client side "Windows Update" functionality, because they couldn't control what updates got rolled out and when.
They'll be using SMS/WSUS, or similar, which TFA states very clearly and explicitly, will NOT push this update, silently or explicitly.
This whole angle on things is a non-event.
Who says they're being stopped?
Chas - The one, the only.
THANK GOD!!!
I agree wholeheartedly and vocally that people should always think critically and investigate, but there's another fact to consider:
Slashdot is a news aggregation site, and its users expect news it carries to be factually accurate (even if it's trolling or alarmist in bent). Supposedly, Slashdot's items are posted to the community after scrutiny by the community's members/peers, so they're up to the community's standards, however high or low those may be.
Firefox phones home by default.
That makes it spyware.
The whole article is a piece of FUD. There are no auto updates of any files happening if you turn Automatic Updates off. See here .
This space for rent.
You're right. MS has posted a blog here which pretty much confirms what you said. What I am really interested to see is if Slashdot will post a correction.
This space for rent.
I use WSUS and approve patches, or don't approve them. Normally Automatic Update patches are done through WSUS. They've updated this service several times.
Imagine my surprise when a lot of my workstation, with no one signed on, all started updating over my slow Internet connection & not over my 1Gb/s WSUS server.
Here is a log file from one such machine;
http://farm2.static.flickr.com/1109/1373440155_1800168f54_o.jpg
I have 64 kilobit/second pipes to some networks with a dozen or so computers. It does appear that this update respected my BITS policy of using no more than 1kilobyte/second. My MRTG charts show no burst. My QoS device rate limits HTTP to the Internet at a higher rate than my WSUS server, so it could have caused some late night calls.
It should have been the first thing you did anyways, after logging in and before connecting to the internet. Why anyone would want an auto update service with a company that has as many known problems and patch failures as MS is beyond understanding. If you disable the update service and delete wuauclt.exe, you've pretty much ended any issues with MS's update service.
Despite all its issues, Windows XP can be made to be relatively lean and stable as an OS. It merely requires heavy tweaking in the form of disabling "services" on startup. (Yep, really need that Zero Configuration Wireless service running on a wired desktop, yep yep....)
The cesspool just got a check and balance.
Is the platform to run it on free?
God is imaginary
cdm.dll is still .374.
Chain. Yanked.
It is clearly stated, somewhere in the EULA, that Microsoft can and will send updates if they are necessary (from MS point of view).
It was afaik first seen in the EULA addendum to a Mediaplayer update...
It happened to me with Windows 2000. A MS update called "Update Rollup 1" really badly broke ODBC connectivity with MS Access 2000 and back-end databases. It took a week to figure out why I couldn't relink tables (the dialog would just hang), and the problem was only resolved by uninstalling the update. Note that this was a case where a MS update broke another MICROSOFT product, and I had to lose a week of real work to resolve the issue.
It's important to realize that this has got nothing to do with the Microsoft EULA.
For Microsoft it's illegal to utilize your own bandwidth, network and hardware for sending you any update if this is against your declared will.
No amount of MS EULA can do that, since MS EULA can cover only Microsoft software, MS EULA CAN NOT COVER your own bandwidth you are paying for, your own network connection and your own hardware. Any unwanted Microsoft update utilizing any of these resources against the owner's will is illegal violation of your services, properties. Not different than a hacker's illegal break-in.
... that I own a Mac. -- Windows is for suckers!
Why didn't Mark Russinovich catch this nefarious, back-door root-kit type attack?
... he's been assimilated!
Oh yeah
If anyone that has played with WSUS knows there are a lot of Registry settings that allow more control over how Automatic Updates behaves than what the cheesy GUI control panel shows. Did the author of TFA check those before saying the sky is falling ?
If someone else can run arbitrary code on your computer without your permission, it's not YOUR computer any more.
Stop all use of Windows. We have a 100% no-Microsoft, no-Apple home. Stop making excuses and do it.
The TFA is a piece of FUD. See here.
This space for rent.
Enough of the hot air and FUD. Read The TFA is a piece of FUD. See here.
This space for rent.
You've been FUD'ed. See here. Relax and take a deeeeep breath.
This space for rent.
If you must use Windows pcs properly firewall them. I see some posters saying they had the pcs firewalled and they still installed updates. Sounds like they were not properly firewalled then. For instance, use PFsense and it's TCP stack fingerprinting and simply "filter" out Windows pcs from any internet activity. That way you can still transfer files/trusted updates to them over your network if needed.
Too bad for you the article is wrong. See here. Relax and take a deeeeep breath.
This space for rent.
Chances are...if you actually need WSUS, the price of the platform it runs on won't be that great of a concern to you.
My Sysadmin Blog
See here.
This space for rent.
Adium, an open source, multi-protocol instant messaging client installs an auto-update service that can't be disabled without modifying the source code, although it does (appear) to ask before actually installing detected updates. It is, however, still phoning home regularly, and this provides lots of interesting information about who is running it and where to the developers.
Firefox does the same thing unless you are very thorough in stamping out the places this behavior is configured. At least in Firefox it appears that it can be done. In Adium you cannot disable automatic update checking.
For the record, the things you should modify to make Firefox behave include:
1. Change the default start page.
2. Disable automatic update checking for Firefox, Extensions, and Search Engines, via preferences.
3. In about:config delete the value associated with startup.homepage_welcome_url.
4. In about:config delete the value associated with startup.homepage_override_url.
There are lots of other places Firefox would like to communicate with the mothership, but in most cases I think it asks before doing so, but I can't prove it always does. If anyone has a more complete list I'd be interested in seeing it.
Camino, the OS X Mozilla based web browser, is designed to load a Camino web page (which necessarily beams at least the information that you just installed a new version of Camino, what the new version is, and you IP address) the first time Camino is launched after being updated. This cannot, however, be disabled within the application; you must edit a configuration file inside the application bundle: Camino.app/Contents/Resources/WebsiteDefaults.strings.
The information may seem inconsequential, but that's really something I'd rather get to decide myself. And of course if it really were inconsequential, developers probably wouldn't go so far out of their way to make it difficult to disable such behaviors.
System -> Administration -> Software Sources, Internet Updates tab, check "Install security updates without confirmation."
Slay a dragon... over lunch!
Did you say something? I must have missed it. I'm sorry, but at -1, you're pretty much irrelevant. Even ACs have more privileges and interesting things to say than trolls like you.
Already posted that down-thread, but thanks.
http://www.mhall119.com
I know it hours later, and this'll be at the end of the thread that never gets read, but I just got home to check my XP SP2 machine which has been connected to the internet many times since late August.
The ZDNet guy said his wuapi.dll version was 7.0.something and had screenshots of the event viewer. (Although it I don't think he said which event log--Application, Security, or System)
Anyway, my wuapi.dll version is at 5.4.something and no update event in my logs.
Of course, I've only used windiz for updates and have not updated this machine with Windows Update.
FWIW.
you're not going to convince people spouting utter bullshit like that!
Bet it has something to do with this
unable to resolve function slashdot.sig(), aborting...
Problem is that U are not the owner or ur machine if U run micro$$ anything! Try, just try to erase the windows cookies.dat file on your windo$$ machine! U will not succeed. This is because U are not the root authority on a windo$ machine like U are on a linux machine. Also, as micro$ obviously and demonstrably beyond the shadow of any doubt by any open minded person can invade the personal property of a private supposedly free and sovereign citizen, paid for by that citizen, then what is to stop micro$ from installing other malware as well, or selling that ability to unknown others. Inasmuch as they can invade and install, might they also invade and copy or erase. Perhaps they might want to time limit your purchases of foolishly purchased 'downloads'. Perhaps they might want your social security number, your credit card details, your browsing history, your financial details, etc. These may be of much value, say, to a hostile country if you are in a position of authority of work on classified material. Recently China has been given the source code for all windo$ products in exchange for the illusion of being able to sell its malware in China. Shortly thereafter, nations all over the world came under successful hacker attack. Coincidence? Only a fool would believe that. Now that micro$ is patenting all kinds of intrusive adware that this software 'borg' has 'assimilated', you may also assume that future stealth 'updates' may incorporate also the facilitation of non blockable spam. Think of it. U are in the middle of a good game...and up pops a 'erection treatment' commercial. U turn off your machine in disgust! Hours later U come back and lo and behold the commercial is as well, resuming where you left off for its alloted time of Ur machine run until it relinquishes contol back to Ur program that has probably crashed. O well, micro$ had its fun and now U are pushin it! Now ya wanna go buy another 'system' from another 'besbuyy-jerkitsity-etc that comes not with an operating system disk set but only a set of 'recovery disks' that are not usable on any other machine? Now ya wanna use any windo#@#$%$# product on the internet AT ALL?
This message is brought to U on a linux machine, the only liberated computer system on the planet. Crack the whip China/micro$ on all u slaves.
Oh yes and by the way, just because some magazine says that certain files that windo$ surrepititiously installs on your machine are harmless, do not believe them. Most publishers are now controlled by a worldwide cartel, and editorials are now cheerleaders for micro$ in many places.
Frig where you all been...
..
Since before the big black out that saved m$ from that crazy virus.. M$ has ignored...
I mean it sends data if you open any help screen from M$ or play any file with media player..
I guess they figured no one seems to notice that we are gathering info.. lets get more!!!
The Germans proved that they send personal info even though they say they do not..
All microsoft has left is to entice big popular softwares to make there softwarez in there OS Dot net world and both the companies that depend on these softwares and the programmers them selves will be stuck in Micro$ofts evil dependance..
Its sad
One day you will all wake up from your sugar, fluoride, over commercialized world and say this has to stop..
You could just load Linux and work with the most community supported stuff and if you have to pay money use it to pay someone willing to share there expertise
Nothing worse then giving your money to some company that wants you to do things there way because it makes them fat on your dependence..
and they will not stop researching more ways to lure and keep you there..
Your loss
Are you on crack?
Perhaps it's just updating global timezone definitions ?
/. credo, right ?
http://www.scoop.co.nz/stories/SC0709/S00031.htm/
I distrust M$ as much as most of you here, but let's get some facts before we run our mouths off, eh ?
Oh, wait, that'd be against the
Someone should write a little freeware app to monitor AU communication. Then it can ask you, "do you really want to communicate with Microsoft Y/N?" If you say yes, and AU itself doesn't alert you of updates, we can at least see how often this is happening. On another note, hasn't Microsoft just opened a massive security hole? Surely some hacker will rise to the challenge in a few weeks?
This is Windows. Try 10's of millions of lines.
Perhaps Frosty Piss is not a native English speaker and has partially translated a foreign idiom into English. I know of at least three languages that don't use a base-thousand system for large numbers the way standard English does. Instead, its names for large numbers are based on powers of a myriad or 10^4, not a thousand or 10^3. For instance, Chinese, Japanese, and Korean have words for ten, hundred, thousand, and myriad. They have no single word for million (10^6) other than what literally translates as "hundred myriad". Tens of millions would be "thousands of myriads", still not enough for the next major name, which could translate as "byriad" (10^8).
(The More You Know, the easier it is to assume good faith.)
http://blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx
Apparently, it has done this all along, and it's a legitimate feature to keep the updater software itself up to date. It's a question not of "Who watches the watchers?" but "who updates the updaters?"
technical writing / development
at
where Nate writes
(Emphasis mine).
It's a pretty long post.
Just wanted to mention it here since there is no logic in it, and this explanation is simply wrong, since Microsoft controls both the Updating server and client, and can simply keep a version number for identification. In fact, you would think that Microsoft keeps a copy of past updates just so they can be replayed. So if very old version of Microsoft Update Client contacts the server, of course many past updates have to be applied, one of which will be the update to the update client.
So we are looking at two cases
(An example of why I stay away from Microsoft documentation and publications)
Stephan
http://stephan.sugarmotor.org
That may not work. Windows XP is designed to hide where some requests for internet access are originating. Run DLL as an App [lication] is an example. The point is not that this particular update was a problem. The issue is how much control does Microsoft retain over user's computers?
Kerio was bought by Sunbelt. Before Sunbelt bought Kerio, Sunbelt did some things which made me lose confidence in the company.
Does Kerio software firewall prevent hidden internet access? To do so it needs to prevent all leaks, and the last test I saw showed that it did not.
Then you'll start seeing stuff like this on the packaging:
USE OF THIS PRODUCT IS RESTRICTED. Your acquisition of a copy constitutes acceptance of the End User License Agreement for this product. You can read the terms of this Agreement at http://www.example.com/2007/(name of product)/termsAuthorized retailers would make available an Internet kiosk where the public can view such agreements.
You are just bringing attention to his account, which is what he wants. If a post is not modded up, just ignore it.
Did you say something? I must have missed it. I'm sorry, but at -1, you're pretty much irrelevant.
No, you losers read everything I write as Twitter. That makes me happy, and I might miss you when you are gone. Nah, I'll enjoy talking about nice things instead of M$'s latest evil move. That's the way things were before year 2000.
Your little modbomb must bring you great joy, but it does little to keep me from saying things here. Between that and the failure of Vista I'm not sure why people still you to pollute this place.
Congratulations on being a carbon-copy of twitter.
Or did you imagine that "shitdot sheeple" is any less of a trendy teenybopper substitute-for-real-thought phrase than "M$ Windoze"?
From the silly article, written by that farce of a company:
we update the client code for Windows Update automatically [even] if the customer did not opt into automatically installing updates without further notice?
Looks to me like they install things without asking, regardless of what the customer says.
The reason given is that they sometimes change their update process, but that makes no sense. Only Microsoft would make a client that can't update itself when the customer asks for updates. I can understand changing update mechanisms, but I can't understand not being able to do so smoothly with user knowledge and consent. Surely, M$ can afford to run more than one server if they can't make a server capable of doing two things at once.
Just to show what great guys they are, they promise to be more "transparent" in the future. That's really cool of them. When they release their source code BSD, GPL or some other free license, I'll consider them less Police State friendly.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
But if a use is "contested", is it clear? And if a phrase's meaning is unclear, is the phrase worth using to communicate?
When I shut down my machine, Windows did several reboots to install stuff.
NOTHING was supposed to be getting installed.
I never visit a windowsupdate site. I never even run IE. I keep updates set to perform the download ONLY, without running the install.
A few days or a week ago, I was shutting down. (in a hurry I might add; I needed to leave) Windows decides that it can't just shut down. It has to install stuff. WTF? It then reboots several times, installing all sorts of random Microsoft crap.
Not really. Many consumers rejected the idea of software licensing just about as soon as it was thought up. They consider the software their property and act accordingly, whether or not they actually bought it or (more often) pirated it.